GSSA-2026-04-VAWHY2
2026-04-25
1.6 Low

`ENCRYPTION_KEY` reused for JWT signing — cross-purpose key reuse

The same secret signed JWTs and encrypted at-rest data via Cryptr. Compromise of either purpose exposed the other; rotation required dual-impact downtime.

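One way to avoid the reuse described above, as an added example that is not the project's own code: a startup check that refuses to run when the JWT signing secret equals `ENCRYPTION_KEY`, plus HS256 signing and verification bound to the dedicated key. The variable name `JWT_SECRET`, the function names and the sample values are assumptions made for illustration.

```javascript
const crypto = require("crypto");

// Hypothetical loader. JWT_SECRET is an assumed name for a dedicated signing
// secret; ENCRYPTION_KEY stays reserved for at-rest encryption only.
function loadKeys(env) {
  const encKey = env.ENCRYPTION_KEY;
  const jwtKey = env.JWT_SECRET;
  if (!encKey || !jwtKey) throw new Error("ENCRYPTION_KEY and JWT_SECRET are both required");
  // Compare fixed-length digests so timingSafeEqual accepts inputs of any length.
  const digest = (s) => crypto.createHash("sha256").update(s).digest();
  if (crypto.timingSafeEqual(digest(encKey), digest(jwtKey))) {
    throw new Error("JWT_SECRET must not reuse ENCRYPTION_KEY");
  }
  return { encKey, jwtKey };
}

const b64url = (v) => Buffer.from(v).toString("base64url");
const hmac = (key, data) => crypto.createHmac("sha256", key).update(data).digest();

function signHS256(payload, key) {
  const head = b64url(JSON.stringify({ alg: "HS256", typ: "JWT" }));
  const body = b64url(JSON.stringify(payload));
  return `${head}.${body}.${b64url(hmac(key, `${head}.${body}`))}`;
}

// Returns the payload, or null when the token does not verify under `key`.
function verifyHS256(token, key) {
  const parts = String(token).split(".");
  if (parts.length !== 3) return null;
  const [head, body, mac] = parts;
  try {
    const header = JSON.parse(Buffer.from(head, "base64url").toString());
    if (header.alg !== "HS256") return null; // pin the algorithm
    const expected = hmac(key, `${head}.${body}`);
    const given = Buffer.from(mac, "base64url");
    if (given.length !== expected.length) return null;
    if (!crypto.timingSafeEqual(given, expected)) return null;
    return JSON.parse(Buffer.from(body, "base64url").toString());
  } catch {
    return null; // malformed header or payload
  }
}

// Constructed sample values, not real secrets.
const SAMPLE_ENV = {
  ENCRYPTION_KEY: "constructed-at-rest-key-0123456789abcdef",
  JWT_SECRET: "constructed-signing-key-fedcba9876543210",
};
```

With the two secrets separated, a token forged with a leaked `ENCRYPTION_KEY` fails verification, and each secret can be rotated on its own schedule.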